藉由最大化程式碼覆蓋範圍以揭發惡意程式行為

Abstract

隨著大量新的惡意程式產生，分析人員必須仰賴自動化的工具以減少人工分析所花費的時間。然而因為多數的惡意程式都包含反靜態分析的工具，如加殼、程式碼混淆，現今主流的自動分析工具多採用動態分析，也就是在一個受控制的環境中執行欲分析的程式，藉由側錄該程式在環境中所展現的行為以提供分析人員判斷的依據。然而因為這類的分析工具只能觀察到一次執行所產生的結果，某些被刻意隱藏起來的惡意行為因此不被發現，進而造成分析人員的誤判。為了增加分析結果的涵蓋範圍，之前的研究提出了多重執行路徑分析的方法，迫使被分析程式可以執行原先並未執行過的程式路徑，並展現其被隱藏的行為。但這類方法必須仰賴分析人員提供被分析程式的輸入方式，才能藉由不同數值的輸入，改變程式的執行狀態。在本篇研究中，我們設計了一個系統，藉由分析曾經被執行過的指令，自動地反推敲出可以改變執行結果的程式輸入，由此嘗試執行所有未被執行過的程式碼，揭發惡意程式被隱藏的行為。我們分析了一定數量的惡意程式，結果顯示我們的系統能夠自動的找到可觸發被隱藏行為的程式輸入，並透過最大化程式碼的覆蓋範圍，達到揭發惡意程式中被隱藏行為的目的。

To cope with a large number of new malware created each day, analysts rely on tools to determine the capabilities of malware program. These tools typically follow dynamic approach, executing the sample in a controlled environment and observing its behaviors. However, because the analysis is based on single execution result, these tools cannot cover the code responsible for a hidden behavior. To mitigate this problem, multiple path execution is proposed to increase the code coverage of dynamic malware analysis. Before the system can trigger a hidden behavior, analysts should properly define the program inputs. Unfortunately, malware could use arbitrary data source as its trigger input. In this paper, we propose an automatic trigger scheme (ATS) that is able to automatically identify the trigger input source for uncovered code. By rewriting the input value, our system is able to execute uncovered code and maximize the code coverage for hidden behavior discovery. ATS has been applied to several real world malware programs, and the result shows that ATS successfully identified the hidden behavior and the relevant trigger inputs. As a result, our approach can significantly improve the coverage of malware analysis results.